Make WordPress Core

Opened 3 years ago

Last modified 11 months ago

#21938 new enhancement

Add "no-store" to Cache-Control header to prevent history caching of admin resources

Reported by: soulseekah Owned by:
Milestone: Awaiting Review Priority: normal
Severity: trivial Version: 3.4
Component: Administration Keywords: has-patch
Focuses: Cc:


The current implementation of wp_get_nocache_headers does not take into account history caching, which results in a browser serving a cached copy of pages from history (by pressing the Back button) even if the user has long logged out.

RFC 2616 14.9.2 no-store describes this cache directive.

To repoduce: login to dashboard, logout, press the back button.
Expected: the login screen.
Reality: a copy of the previous page.

By adding the "no-store" directive to all non-cachable resources the behavior was mitigated successfully in Chrome 21, Firefox 15. Fails on Opera 12 (they chose to disregard "no-store" when applied to history, RFC allows this).

Attachments (1)

21938.patch (509 bytes) - added by soulseekah 3 years ago.
"no-store" please

Download all attachments as: .zip

Change History (9)

3 years ago

"no-store" please

#1 @kovshenin
3 years ago

  • Cc kovshenin added

#2 @ocean90
3 years ago

  • Cc ocean90 added

#3 follow-up: @toscho
3 years ago

  • Cc info@… added
Version 0, edited 3 years ago by toscho (next)

#4 in reply to: ↑ 3 @soulseekah
3 years ago

Replying to toscho:

That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.

Agreed, under certain circumstances this could be a nuisance, especially if users are logged in and the admin bar is shown. As for performance, it seems that all of twitter is served with "no-store" and it does appear (to me) to be quite jagged navigation-wise.

Without a proper step-by-step testing plan in mind, I guess I'll use the patch in production for a bit to see if it causes any unexpected issues in general.

#5 @nacin
3 years ago

The other issue is sometimes you want the back button to be where you were last, without a complete reload. How many times have you lost a comment or some other content by clicking away (in WP or not) and scrambled to recover it?

#6 @SergeyBiryukov
3 years ago

  • Version changed from trunk to 3.4

#8 @nevma
11 months ago

It seems that Firefox actually needs the no-store as well, in order to not cache a page. Otherwise, it serves it from the BFCache. The no-store should be added to the wp_get_nocache_headers function in the Cache-Control header. This is what the MDN documentation in Using Firefox Caching mentions, too.

Note: See TracTickets for help on using tickets.